Password security for Email/Password users

MongoDB Realm’s SDKs provide the ability to register users using an email and password.

However I can’t find anything in the documentation describing how passwords are stored. What hashing scheme is used? Are passwords salted?

The only information I can find is “the password must be between 6 and 128 characters”. Are there any restrictions on characters used? Are passwords expired?

I’d like to know as much as possible so I can assess the security of private user data.

Hi Martin,

Are there any restrictions on characters used?

No, but you can enforce them on the client.

Are passwords expired?

No, they are not by default. This is logic you will have to implement yourself.

Are passwords salted and hashed?

Yes they are salted and hashed with SHA256.

Hope that helps!

Yes that’s very helpful. Thank you.

What about password format validation? I’m able to register users with the password 123456, which is a big security issue.
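The client-side enforcement the reply suggests, and the format validation the follow-up asks about, as an added example that is not from this thread or the Realm SDKs. It assumes a local policy (12-character minimum, three character classes, a small constructed blocklist, no email-derived passwords) layered on top of the 6 to 128 character limit the thread states; the SDK registration call itself is only sketched in a comment.

```javascript
// Added example: client-side password policy checked before calling the
// SDK's email/password registration. The server-side 6-128 bound comes from
// the thread; every other rule below is a local policy choice (assumption).

// Constructed sample blocklist; a real deployment loads a large list of
// common or breached passwords instead of this handful.
const COMMON_PASSWORDS = new Set([
  "123456", "password", "12345678", "qwerty", "123456789", "111111", "letmein",
]);

const SERVER_MIN = 6;    // stated in the thread
const SERVER_MAX = 128;  // stated in the thread
const POLICY_MIN = 12;   // local policy (assumption)

// Returns a list of human-readable problems; an empty list means acceptable.
function validatePassword(password, email) {
  if (typeof password !== "string") return ["password must be a string"];
  const problems = [];

  // Repeat the server bounds locally so bad input fails before a network call.
  if (password.length < SERVER_MIN || password.length > SERVER_MAX) {
    problems.push(`length must be between ${SERVER_MIN} and ${SERVER_MAX} characters`);
  }
  if (password.length < POLICY_MIN) {
    problems.push(`length must be at least ${POLICY_MIN} characters`);
  }
  // Require at least three of four character classes.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  if (classes < 3) {
    problems.push("use at least three of: lowercase, uppercase, digits, symbols");
  }
  // Reject well-known weak passwords such as 123456 regardless of other rules.
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    problems.push("password is on the common-password blocklist");
  }
  // Reject passwords that embed the account's own email local part.
  if (email) {
    const local = email.split("@")[0].toLowerCase();
    if (local.length >= 4 && password.toLowerCase().includes(local)) {
      problems.push("password must not contain the email's local part");
    }
  }
  // Reject long runs of a single repeated character (e.g. "aaaaaaaaaaaa").
  if (/(.)\1{5,}/.test(password)) problems.push("too many repeated characters");
  return problems;
}

// Intended call site (hypothetical wrapper around the SDK registration):
// const problems = validatePassword(password, email);
// if (problems.length === 0) { /* await app.emailPasswordAuth.registerUser({ email, password }); */ }
```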